Vulnerability-based remediation selection

ABSTRACT

A machine-actionable memory comprises one or more machine-actionable records arranged according to a data structure. Such a data structure may include links that respectively map between a remediation, at least one action, and at least two vulnerabilities. A method of selecting a remediation, that is appropriate to a vulnerability which is present on a machine to be remediated, may include: providing a machine-actionable memory as mentioned above; and indexing into the memory using: a given vulnerability identifier to determine (A) at least one of a remediation mapped thereto and (B) at least one action mapped to the given vulnerability identifier; and/or a given remediation to determine at least two vulnerabilities mapped thereto.

CONTINUITY AND PRIORITY

This application is a continuation of a copending U.S. patentapplication having Ser. No. 10/897,402, filed Jul. 23, 2004, theentirety of which is hereby incorporated by reference and for whichpriority is claimed under 35 U.S.C. §120.

BACKGROUND OF THE PRESENT INVENTION

Attacks on computer infrastructures are a serious problem, one that hasgrown directly in proportion to the growth of the Internet itself. Mostdeployed computer systems are vulnerable to attack. The field ofremediation addresses such vulnerabilities and should be understood asincluding the taking of deliberate precautionary measures to improve thereliability, availability, and survivability of computer-based assetsand/or infrastructures, particularly with regard to specific knownvulnerabilities and threats.

Remediation is based upon knowledge of vulnerabilities. There are manysources of information regarding vulnerabilities, which can be organizedinto three source categories: non-fee-based open source; non-fee-basedcomputer-vendor; and fee-based vulnerability assessment vendor (VAV).Among the non-fee-based open-sources, the CERT® Coordination Center(hereafter, CERT®), which was the first computer security incidentresponse team (established in November 1988 after a Cornell Universitygraduate student released the “Morris Worm,” which brought down much ofthe Internet and demonstrated the growing network's susceptibility toattack), provides some of the most complete information available aboutcomputer system vulnerabilities. For example, an incident report fromCERT® about a vulnerability generally includes: a description of it (andtypically a list of one or more identifiers associated with it); acharacterization of its impact upon a susceptible system; one or moresuggested remediations (“solutions” according to CERT® phraseology); andlinks to other sources of information about it.

SUMMARY OF THE PRESENT INVENTION

At least one embodiment of the present invention provides amachine-actionable memory comprising one or more machine-actionablerecords arranged according to a data structure. Such a data structuremay include links that respectively map between a remediation, at leastone action, and at least two vulnerabilities. For example, the links ofthe data structure respectively can map between: a R_ID field, thecontents of which denote an identification (ID) of a remediation (R_ID);at least one ACT_ID field, the contents of which denotes an ID of anaction (ACT_ID); and at least two V_ID fields, the contents of whichdenote IDs of vulnerabilities (V_IDs).

At least one other embodiment of the present invention provides a methodof selecting a remediation that is appropriate to a vulnerability whichis present on a machine to be remediated. Such a method may include:providing a machine-actionable memory as mentioned above; and indexinginto the memory using a given vulnerability identifier to determine (A)at least one of a remediation mapped thereto and (B) at least one actionmapped to the given vulnerability identifier.

At least one other embodiment of the present invention provides a methodof selecting a remediation that is appropriate to a vulnerability whichis present on a machine to be remediated. Such a method may include:providing a machine-actionable memory as mentioned above; and indexinginto the memory using a given remediation to determine at least twovulnerabilities mapped thereto.

At least two other embodiments of the present invention provide machinesconfigured to implement the methods mentioned above, respectively.

At least two other embodiments of the present invention provide amachine-readable medium comprising instructions. execution of which by amachine selects a remediation that is appropriate to a vulnerabilitywhich is present on a machine to be remediated, as in the selectionmethods mentioned above, respectively.

Additional features and advantages of the present invention will be morefully apparent from the following detailed description of exampleembodiments, the accompanying drawings and the associated claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings are: intended to depict example embodiments of the presentinvention and should not be interpreted to limit the scope thereof. Inparticular, relative sizes of the components of a figure may be reducedor exaggerated for clarity. In other words, the figures are not drawn toscale.

FIG. 1 is a block diagram of an architecture 100 for a remediationsystem into which embodiments of the present invention can beincorporated, making system 100 itself represent at least one embodimentof the present invention.

FIGS. 2A-2B are flowcharts that depict such a mechanism that facilitatestranslation of the plethora of suggested remediations and their relatedinformation into a machine-actionable format in the form of a method ofmapping a remediation to a plurality of vulnerabilities, according to atleast one embodiment of the present invention.

FIG. 3 is a tree-hierarchy diagram illustrating genus/sub-genus/ . . ./species relationships in which the species would be assigned T_IDs,according to at least one embodiment of the present invention.

FIG. 4 is a flow diagram illustrating a method for obtaining an eligibleR_ID list can be obtained, according to at least one embodiment of thepresent invention.

FIG. 5 is a flow diagram illustrating a vulnerability-based method ofremediation selection, and a method of remediation deployment, accordingto at least one embodiment of the present invention.

FIG. 6A depicts a database structure illustrating data relationships ina machine-actionable memory that represent mappings between R_IDs, V_IDsand ACT_IDs, according to at least one embodiment of the presentinvention.

FIG. 6B is an alternative depiction of the database structure of FIG.

6A as a table 602′, again illustrating data relationships in amachine-actionable memory that represent mappings between R_IDs, V_IDsand ACT_IDs, according to at least one embodiment of the presentinvention.

FIG. 6C depicts an alternative of the database structure of FIG. 6A,namely a database structure illustrating data relationships in amachine-actionable memory that represent mappings between R_IDs, V_IDs,ACT_IDs and T_IDs, according to at least one embodiment of the presentinvention.

FIG. 6D depicts an alternative of the database structure of FIG. 6A,namely a database structure illustrating data relationships in amachine-actionable memory that represent mappings between R_IDs, V_IDs,ACT_IDs and CE_IDs, according to at least one embodiment of the presentinvention.

FIG. 6E is a quasi-flow diagram that depicts a specific type of indexinginto the table of FIG. 6B, 602′, according to at least one embodiment ofthe present invention.

FIG. 6F is a quasi-flow diagram that depicts another specific type ofindexing into table 602′, according to at least one embodiment of thepresent invention.

It is noted that the following discussion does not address FIGS. 1-6F innumerical order. Rather, the Figures are substantively addressed in thefollowing order: 1; 3; 4; 2A; 6A; 6B; 6C; 6D; 2B; 6E; 6F; and 5.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

In developing the present invention, the following problems with theBackground Art were recognized and a path to a solution identified.There are at least two problems associated with the vulnerabilityinformation currently available from the Background Art sources, e.g.,from CERTFirst, none of the suggested remediations is provided in ansubstantially machine-actionable, much less anautomatically-machine-actionable format. Rather, the suggestedremediation is presented in prose that requires substantial involvementof a human participant in order to implement. Second, the suggestedremediations typically do not address the nuances of theirimplementations across significantly different technologies (e.g., UNIXin the context of an Intel® architecture versus a Motorola®architecture), much less closely related technologies (e.g., Windows® 32bit vs. 64 bit architectures in the context of an Intel® architecture,or Windows® 2000 vs. Windows® 98 vs. Windows NT®, etc.). A mechanism(here, the computer-context of mechanism is being used, which derivesfrom the machine metaphor used in sciences concerned with man) which canfacilitate translation of the plethora of suggested remediations andtheir related information into a machine-actionable format would helpthe consolidation and accessibility of such information. Also, amechanism which can facilitate differentiation of related remediationsaccording to technology would improve the practicality of the suggestedremediations. Respective embodiments of the present invention providesuch mechanisms.

FIG. 1 is a block diagram of an architecture 100 for a remediationsystem into which embodiments of the present invention can beincorporated, making system 100 itself represent at least one embodimentof the present invention.

Architecture 100 includes: a server 102 (having one or more processors103A and a volatile memory 103B); a database (DB) of remediations 104; aDB of assets 106; a group 108 of networked assets, where generalizednetworked communication is represented by path 112; and various knownsources of vulnerability information 114. Examples of assets in group108 include printers, computers (also referred to as PCs), switches,routers, network-attached storage (NAS) devices, etc. Group 108 can begeneralized as including devices having some measure ofprogram-code-based operation, e.g., software, firmware, etc., which canbe manipulated in some way via an instance of a communication, e.g.,arriving via path 12, and as such can be vulnerable to attack.

Server 102 can be a component of the network to which group 108represents assets. DBs 106 and 108 can be local non-volatile memoryresources of server 102. Remediation DB 106 can be a local copy of acorresponding remediation DB created, maintained and/or updated by aremote remediation service provider.

Each of the various networked assets in group 108 is depicted asincluding a light weight sensor (LWS) 109. Each LWS 109 and server 102adopt a client-server relationship. Operation of each LWS 109 caninclude gleaning information about its host-asset and sending suchinformation to server 102; and receiving remediations in anautomatically-machine-actionable format from server 102 andautomatically implementing the remediations upon its host-asset.

Such an automatically-machine-actionable remediation can take the formof a sequence of one or more operations that automatically can becarried out by the host asset. Such operations can be invoked by one ormore machine-language commands, e.g., one or more Java byte codes.

Server 102 prepares and sends remediations to the various assets ofgroup 108 based upon vulnerability information received from sources 114thereof, remediation database 104 and asset database 106. At anintermediate stage in the preparation, an eligible remediationidentification (R_ID) list unit 126 in server 102 produces a list ofeligible R_IDs. Unit 126 can be a part of the one or more processors103A, e.g., a service running thereon.

Tables 118, 120, 122 and 124 are depicted in server 102 to represent howserver 102 uses information in DBs 104 and 106 to generate the inputs tounit 126. Tables 118-124 can represent copies, that are kept in volatilememory (not depicted) of server 102, of some or all of the data in DBs104 and 106. Or, tables 118-124 can merely be a symbolic depiction of adatabase query to DBs 104 and 106, respectively.

The vulnerability information from sources 114 can be in the form oftables 116 or easily tabulated into tables 116. Regardless, tables 116generally do not contain much in the way of machine-actionable data.Each table 116 describes a given vulnerability and will typicallyinclude at least: a field for a vulnerability identification number(V_ID), a field for a prose technology genus (TGEN); and a field for aprose description of the vulnerability. By analyzing tables 116, each oftable 118 and table 120 can be developed, as will be discussed below.

Table 118 maps V_IDs used by sources 114 to corresponding remediationidentification numbers (R_IDs) according to some common aspect ofvulnerability, respectively. In table 118, many remediations can map toone vulnerability, and many vulnerabilities can map to one remediation.Table 118 can be indexed using a given V_ID, e.g., V_ID1, to obtain thecorresponding R_ID, e.g., R_ID1, as reflected by paths 140 and 142 inFIG. 1.

Table 120 maps TGEN identification numbers (TGEN_IDs) to identificationnumbers of technology species thereof (T_IDs). The relationships intable 120 can be analogized to the more familiar tree hierarchy.

FIG. 3 is a tree-hierarchy diagram illustrating genus/sub-genus/. . ./species relationships in which the species would be assigned T_IDs,according to at least one embodiment of the present invention.

More particularly, FIG. 3 assumes an example of the Microsoft®Corporation and its Windows® family of operating systems. In FIG. 3,Microsoft® is the genus, Windows® is a sub-genus, Windows® 2000 is asub-genus reporting to Windows®, Windows® 2000 SP0 is a first species,Windows® 2000 SP1 is a second species, Windows® 2000 SP2 is a secondspecies, etc.

Again, table 120 represents a mapping of genus/sub-genus/ . . . /speciesrelationships that can be found in a tree-hierarchy diagram. Upondetermining the TGEN_ID for the TGEN of table 116, table 120 can beindexed (see path 144) using the TGEN_ID to obtain (see path 146) thecorresponding one or more T_IDs, T_ID(0), . . . ,T_ID(M−1).

Table 122 is a table of remediations that can be obtained via use of themechanism (mentioned above and discussed further below) that facilitatestranslation of the plethora of suggested remediations and their relatedinformation into a machine-actionable format, and via use of themechanism (mentioned above and discussed further below) that facilitatesdifferentiation of related remediations according to technology. For agiven remediation R_ID, table 122 provides one or more actionidentification numbers (ACT_IDs) corresponding to actions that, incombination, can mitigate a corresponding vulnerability. Depending uponthe technology T_ID, the group of one or more action ACT_IDs for aremediation R_ID might differ. In table 122, dashed rectangle 123encompasses a group of ACT_IDs, namely ACT_ID(1), . . . , ACT_ID(M−1),that correspond to technology T_ID(j) for a given vulnerability.

Table 122 can be constructed, e.g., by analyzing, coordinating anddistilling the information in tables 116 (obtained, again, from sources114). In particular, one performing such analyzing, coordinating anddistilling should be alert to recognizing any aspects of relatedness fortwo or more of tables 116 so that such relatedness can be translatedinto relational links that include: links between V_IDs & R_IDs; andR_IDs, T_IDs and groups of ACT_IDs whose correspondence to the R_IDsexhibits variation in dependence upon the T_IDs, respectively.

Table 122 can be indexed with the R_ID output of table 118 (see path142) and the one or more T_IDs output from table 120 (see path 146) inorder to obtain a collection of R_IDs that might mitigate thevulnerability V_ID of table 116. This collection of R_IDs is provided tounit 126, which filters the collection to obtain a list of R_IDs thatare eligible for deployment to LWSs 109 that are deployed on the assetsof group 108.

It should be understood that table 122 in FIG. 1 includes one or moremachine-actionable records (a type of map implementation) 123 arrangedaccording to a data structure, where the data structure includes linksthat respectively map between: a R_ID field, the contents of whichdenote an identification (ID) of a remediation (R_ID); at least one T_IDfield, the contents of which denotes an ID of at least two technologies(T_IDs), respectively; and a at least one ACT_ID field, the contents ofwhich denote IDs of actions (ACT_IDs), respectively.

More particularly, at least one of the data structures in table 122further includes: a plurality of ACT_ID fields, the contents of whichdenote a plurality of ACT_IDs, respectively; at least one SS linkrelating the plurality of ACT_ID fields; at least one T-SS link betweenthe at-least-one T_ID field and the at-least-one subset, respectively;and at least on R-SS link between the R_ID field and the at-least-onesubset.

Typically, but not necessarily, the data structure for records in table122 would include at least two of the T_ID fields, the contents of whichdenote least two T_IDs, respectively. Similarly typically, but notnecessarily, the data structure for records in table 122 would include:two or more of the SS links, the two-or-more SS links relating one ormore of the plurality of ACT_ID fields as subsets, respectively, of theplurality of ACT_ID fields; at least two of the T-SS links, the at-leasttwo T-SS links being between the at-least-two T_ID fields and thetwo-or-more subsets, respectively; and at least two of the R-SS links,the at-least-two R-SS links being between the R_ID field and thetwo-or-more subsets, respectively.

Table 122 optionally can be expanded to include a field, the contents ofwhich denote a value that is indicative of a degree to whichimplementing the remediation on a machine is invasive thereof(hereafter, an invasiveness value). The invasiveness-value correspondingto the invasiveness field can represent a point on a continuum ofinvasiveness which, e.g., classifies patching an operating system asbeing a more invasive type of remediation and classifies editing a fileas being a less invasive type of remediation. Such a continuum ofinvasiveness could also classify editing a registry value as being amoderately invasive type of remediation.

Occasionally, an instance of table 116 is sufficiently detailed suchthat one or more T_IDs can be identified and a mapping (as indicated bypaths 150 and 152) made therebetween. Table 124 represents the result ofsuch a mapping. Table 124 can be indexed using a given V_ID to obtain alist of one or more corresponding T_IDs, if such a list exists. Then thelist is provided to unit 126.

FIG. 4 is a flow diagram illustrating a method for obtaining an eligibleR_ID list can be obtained, according to at least one embodiment of thepresent invention. The flow diagram of FIG. 4 can be implemented, e.g.,by server 102.

At reference No. 402, a single V_ID is obtained from, e.g., an instanceof a table 116. Table 118 is then indexed (see path 140) using thesingle V_ID to obtain a list L1 of R_IDs at reference No. 403. If thisis the first instance of encountering the V_ID, then it is determinedwhether an aspect of the vulnerability is common to any other V_IDs. Ifnot, then this is a circumstance in which a new remediation arises forwhich a new R_ID is assigned to the vulnerability. But if there is anaspect to the current vulnerability that is common to at least one otherV_ID, then the current V_ID is assigned to the R_ID associated with thecommon aspect of vulnerability. List L1 (obtained at 403) is then usedto index (see path 142) into table 122 to obtain a list L2 of T_IDs &R_IDs at reference No. 404.

At reference No. 406, a single TGEN (again, prose technology genus) isobtained from, e.g., the same instance of table 116. At reference No.408, the TGEN_ID (again, TGEN identification number) corresponding tothe TGEN of 406 is obtained. Typically, the TGEN will have beenencountered before such that the corresponding TGEN_ID will alreadyexist. But if not, then a new TGEN_ID is generated.

The TGEN_ID of 408 is used to index (see path 144) into table 120 toobtain a list L3 of T_IDs at reference No. 409. As indicated by symbol410 (representing a logical AND operation), lists L2 and L3 are ANDedtogether, e.g., in the context of a database operation. Assuming thatsets of parameters are associated with records, respectively, then adatabase type of AND operation is typically performed upon a subset ofthe parameters, and all parameter members of the sets associated withthe records indicated by the AND operation are retained, not just theparameters upon which the AND operation is conducted.

The result obtained at AND 410 is a reduced collection of R_ID & T_IDpairs at reference No. 412. Meanwhile, at reference No. 414, the samesingle V_ID is indexed (see path 150) into table 124 to obtain atreference No. 416 a list L4 (if available) of T_IDs corresponding to thesingle V_ID. As indicated by logical AND symbol 418, the collection andlist L4 are ANDed together (e.g., in the database sense of an ANDoperation) to obtain an eligible R_ID list at reference No. 420.

Each R_ID indicated as eligible by its presence on the list can bedifferentiated according to T_ID so as to yield, potentially, differentgroups of ACT_IDs for different T_IDs even though the R_ID is the same.This can be described as variations of the R_ID. As such, each R_ID onthe eligible-list exhibits or carries forward the robustness of themapping represented by table 122.

Alternative patterns of flow in FIG. 4 are possible. It is noted thatlist L2 is used to reduce (typically, but not necessarily) the number ofT_IDs on list L2, and then subsequently list L4 is used to reduce(typically, but not necessarily) the number of T_IDs in the collection.As an example of an alternative, list L4 could be used at first toreduce (typically, but not necessarily) list L2, and then subsequentlylist L3 could be used for further reduction (which is typically, but notnecessarily expected to result). Other alternatives are possible.

In other words, FIG. 4 is a flow diagram of a method (according to atleast one embodiment of the present invention) for selecting aremediation that is appropriate to a technology present on a machine tobe remediated. Such a method includes: providing a machine-actionablememory that includes one or more machine-actionable records like, e.g.,table 122; and indexing into the memory using a given R_ID value and agiven T_ID value to determine values of one or more ACT_IDscorresponding to the given R_ID value and appropriate to the given T_IDvalue. The given R_ID value can be obtained upon receiving a V_ID anddetermining, e.g., via using table 118, a R_ID associated/mapped-to theV_ID.

FIGS. 2A-2B are flowcharts that depict such a mechanism (namely, thatfacilitates translation of the plethora of suggested remediations andtheir related information) into a machine-actionable format in the formof a method of mapping a remediation to a plurality of vulnerabilities,according to at least one embodiment of the present invention. Indeveloping the present invention, it was recognized that a remediationthat works for a first vulnerability typically works for multiplevulnerabilities. This is contrary to the thinking of the Background Art,which presumes a 1:1 relationship between a vulnerability and aremediation.

In FIG. 2A, flow begins at block 200 and goes to block 202, where thesusceptibility of a machine, M, to a given vulnerability having V_ID1 isassessed. It is assumed that a remediation having remediationidentification (R_ID) 1 (R_ID1) has been identified for V_ID1.

Because information concerning a vulnerability that is providedaccording to the Background Art typically does not address the nuancesof implementing a suggested remediation across different technologies,it was recognized (during development of the present invention) that itis prudent to confirm that a specific technology is susceptible to aparticular vulnerability. For example, assume a vulnerability isdescribed for the Windows® operating system. Let's refer to the Windows®operating system as a technology genus. A prudent approach tests amachine (a test-subject) configured to each of the technology species ofthe genus (and any sub-species) because species susceptibility is notnecessarily true where genus susceptibility is initially indicated.Continuing the example, some species technologies that should be testedfor susceptibility to vulnerability V_ID1 include: Windows® 2000 servicepack zero (SPO); Windows® 2000 SP1; Windows® 2000 SP2, etc.; Windows® 98SPO; Windows® 98 SP1; etc.; Windows NT® SPO; Windows NT® SP1; etc.

In FIG. 2A, the test-subject is depicted as a machine M (252) that hasbeen configured initially to a particular technology TD1, and isbidirectionally coupled to a tester-host 250. Tester-host 250 can be atypical computer (also referred to as a PC). Typical hardware componentsfor tester-host 250 include a CPU/controller, an I/O unit, volatilememory such as RAM and non-volatile memory media such disk drives and/ortape drives, ROM, flash memory, etc.

Susceptibility testing can correspond to some of the aspects of a methodrepresented by blocks 200-230 of FIGS. 2A-2B, which can be implementedvia software that runs on tester-host 250. This relationship betweenblocks 200-230 and tester-host 250 is depicted by a bracket 248 in FIG.2A that calls out blocks 200-212. For simplicity of depiction, neither acorresponding bracket nor tester-host 250 has been depicted in FIG. 2B.

In block 202, it is assumed that non-remediated machine M (252) has beenconfigured to include at least technology T_ID1. Tester-host 250 scansnon-remediated machine M (252) to assess its susceptibility tovulnerability V_ID1 using known vulnerability scanning software. In mostinstances where susceptibility to vulnerability V_ID1 is confirmed, oneor more additional vulnerabilities (e.g., V_ID2, . . . , V_IDn) ofmachine M (252) are identified. The result of the scan can be organizedas a first set, S1, of vulnerabilities.S1={V_ID1, V_ID2, . . . , V_IDn}  (1)

Flow proceeds to block 204, where tester-host 250 implements remediationR_ID1 upon machine M (252). Next, at block 206, tester-host 250 scansremediated machine M (252) to assess its susceptibility to vulnerabilityV_ID1. Typically, the remediation will mitigate (reduce or eliminate)the susceptibility. The testing of block 206, in effect, confirms theefficacy of the remediation if V_ID1 is no longer present in the outputof the scan. As before, the scan output is organized as a second set,S2, of vulnerabilities that, typically, is a subset of the first set. S2could, but will not necessarily, be empty.S2⊂S1, where V_ID1∉S2   (2)

Flow proceeds to block 208, where tester-host 250 creates a mappingbetween R_ID1 and two or more V_ID members of S1 based upon differencesbetween S1 and S2. This mapping is reflected in table 118 of FIG. 1. Inmore detail, block 208 can include blocks 210 and 212. Flow can proceedfrom block 206 to block 210, where tester-host 250 (or another computerhaving access to S1 and S2) eliminates V_ID members of S1 that are alsomembers of S2. This forms a remainder set D1.D1⊂S1, where V_ID1∉D1 but ∉S2   (3)At block 212, tester-host 250 (or another computer having access to S1and S2) can create the mapping to be between R_ID1 and the V_ID membersof set D 1.

FIG. 6A depicts a database structure 602 illustrating data relationshipsin a machine-actionable memory that represent mappings between R_IDs,V_IDs and ACT_IDs, according to at least one embodiment of the presentinvention. As such, database structure 602 illustrates a particular typeof machine-actionable memory arranged according to a particular datastructure.

More particularly, FIG. 6A can represent, at least in part, the mappingbetween R_ID1 and the V_ID members of set D1. Unlike the depictions(e.g., in FIG. 1) of the various tables mentioned above, databasestructure 602 is depicted as a UML-type database structure. This shouldbe understood to mean that database structure 602 represents an at leastM×N array, e.g., M rows and N columns where M and N are integers. The Nlabels in box 603 denote the columns (not depicted) in the array denotedby database structure 602, where there is a column for each label. A row(not depicted) of the array denoted by database structure 602corresponds to a combination of values of the respective columns calledout by box 603.

Box 603 indicates that database structure 202 can include, e.g., thefollowing columns: R_ID; V_ID; ACT_ID; and TRANSACT_CTL_NUM (a surrogatekey to uniqueness of rows in database structure 602). FIG. 6B (to bediscussed below) presents an alternative depiction of database structure602.

According to the thinking in the Background Art, only one remediation isassociated with one vulnerability. As such, the V_ID members of S1 otherthan V_ID1 are of no concern to the Background Art. To use an analogy,the Background Art would view the V_ID members of S1 other than V_ID1 asthe chaff from which a kernel of wheat (V_ID1) is to be separated. TheBackground Art would fail to recognize that (typically) there are one ormore other kernels of wheat in the chaff. The flowchart of FIG. 2Aillustrates a method of gleaning the chaff to obtain the extra wheat.Those extra kernels of wheat are the V_ID members of set D1 other thanV_ID1. The other members of set D1 correspond to other vulnerabilitiesthat remediation R_ID1 can mitigate. An advantage to the mapping ofblock 212 is that it can substantially increase the arsenal ofremediations available and/or significantly reduce the number ofremediations needed to mitigate a collection of vulnerabilities.

FIG. 6B depicts a table 602′ illustrating data relationships in amachine-actionable memory that represent mappings between R_IDs, V_IDsand ACT_IDs, according to at least one embodiment of the presentinvention. As such, table 602′ illustrates a particular type ofmachine-actionable memory arranged according to a particular datastructure.

Table 602′ is a version of database structure 602, albeit depicted as atable instead of a UML-type database structure. Further, for purposes ofillustration, table 602′ has been populated with fictitiousrepresentations of values for the respective column entries. Review oftable 602′ reveals, among other things, the following: dashed block 604concerns R_ID=R844, which is mapped to V_ID=V48765, and which (for agiven T_ID) can be implemented by three ACT_IDs (namely A20458, A13423and A54633), hence block 604 encloses three rows; and RID=R844 maps toat least two V_IDs, namely, V_ID=V48765 and V_ID=V49503.

As an alternative, the database structure 602 can be modified to extendthe mapping to include T_IDs. FIG. 6C depicts such an alternative,namely database structure 606 illustrating data relationships in amachine-actionable memory that represent mappings between R_IDs, V_IDs,ACT_IDs and T_IDs, according to at least one embodiment of the presentinvention. As such, database structure 606 illustrates a particular typeof machine-actionable memory arranged according to a particular datastructure. Box 608 includes the labels of box 603, plus the label T_ID.

As another alternative, the database structure 602 can be modified toextend the mapping to include asset identifications, e.g., CE_IDs. Theterm CE_ID is an acronym for an identification (ID) of a given LWS 109loaded on a given host-asset, and where each instance of a host-asset16X can be described as a client environment (CE). FIG. 6D depicts suchan alternative, namely database structure 610 illustrating datarelationships in a machine-actionable memory that represent mappingsbetween R_IDs, V_IDs, ACT_IDs and CE_IDs, according to at least oneembodiment of the present invention. As such, database structure 610illustrates a particular type of machine-actionable memory arrangedaccording to a particular data structure. Box 612 includes the labels ofbox 603, plus the label CE_ID, and optionally (as indicated by thedashed box therearound) the label T_ID. Of course, other alternativeversions of database structure 602 are contemplated.

Discussion now turns to FIG. 2B, which is a continuation of FIG. 2A.

FIG. 2B extends the method of FIG. 2A to include testing that confirmsthe efficacy of R_ID1 for the V_ID members of set D1. Flow can proceedfrom block 208/212 of FIG. 2A to block 214 of FIG. 2B, where tester-host250 (or another computer having access to S1 and S2) determines whatadditional technologies beyond T_ID1 are associated with the memberV_IDs of D1 in order to form a set, T.T1={T_ID1, T_ID2, . . . , T_IDm}  (4)

At block 215, tester-host 250 augments non-remediated machine M (252) toadd technologies T_ID2, . . . , T_IDm of set T, resulting in a secondversion M′ of machine M (252). At block 216, tester-host 250 scansnon-remediated machine M′ (252) to assess its susceptibility tovulnerability V_ID1. As before, this should yield a third set S3 that isthe same as or similar to S1.S3={V_ID1, V_ID2, . . . , V_IDn}  (5)

Flow proceeds to block 218, where tester-host 250 implements remediationR_ID1 upon machine M′ (252). Next, at block 220, tester-host 250 scansremediated machine M′ (252) to assess its susceptibility tovulnerability V_ID1. Typically, the remediation will mitigate thesusceptibility to all of the vulnerabilities of residual set D1. Thetesting of block 220, in effect, confirms the efficacy of theremediation if all of the member V_IDs of set D1 are no longer presentin the output of the scan. As before, the scan output, typically, is asubset S4 of the third set S3. S4 could, but will not necessarily, beempty.S4⊂S3, where V_ID1∉S4   (6)

Flow proceeds to block 222, where tester-host 250 verifies thatremediation R_ID mitigates all of the V_ID members of set D1. Moreparticularly, block 222 can include blocks 224 and 226. Flow can proceedfrom block 220 to block 224, where tester-hoster 250 (or anothercomputer having access to S1 and S2) eliminates V_ID members of set S3that are also members of set S4. This forms a remainder set D2.D2⊂S3, where V_IDi∉D2 but ∉S4   (7)

At block 226, tester-host 250 confirms that none of the V_ID members ofset D2 are present in set D1, e.g., by verifying that the intersectionof sets D1 and D2 is empty.D1∩D2=Ø  (8)After block 222/226, flow ends at block 228.

In FIG. 2A, sets S1 and S2 can include vulnerabilities that correspondto technologies other than T_ID1. Where it is desired to determine ifremediation R_ID1 mitigates vulnerabilities other than V_ID1 only forT_ID1 (or some subset of set T), then flow can pass through optionalblock 230 after leaving block 206 and before arriving at block 208/210.At block 230, tester-hoster 250 (or another computer having access to S1and S2) can form fifth and six sets S5 & S6 from sets S1 and S2,respectively, by selecting only V_ID members of sets S5 and S6 thatcorrespond to technology T_ID1 (or the member technologies of somesubset of set T).

To summarize, a result of the mechanism of FIGS. 2A-2B can berepresented as at least a part of database structure 602. Once databasestructure 602 is created, it can be indexed using a given R_ID to obtainone, two or more V_IDs remediated thereby. Similarly, once databasestructure 602 is created, it can be indexed using a given V_ID to obtaina corresponding R_ID. Again, it is likely that two or more given V_IDswill obtain the same R_ID. The former circumstance is depicted in FIG.6E. The latter circumstance is depicted in FIG. 6F.

FIG. 6E is a quasi-flow diagram that depicts a specific type of indexinginto table 602′, according to at least one embodiment of the presentinvention.

Again, table 602′ of FIG. 6E is a version of database structure 602albeit depicted as a table instead of a UML-type database structure. InFIG. 6E, it is assumed that table 602′ is indexed via R_ID =R844, whichyields/identifies/is-mapped-to two V_IDs, namely V48765 and V49503.Again, for purposes of illustration, table 602′ has been populated withfictitious representations of values for the respective column entries.

FIG. 6F is a quasi-flow diagram that depicts another specific type ofindexing into table 602′, according to at least one embodiment of thepresent invention.

Again, table 602′ of FIG. 6F is a version of database structure 602albeit depicted as a table instead of a UML-type database structure. InFIG. 6F, it is assumed that table 602′ is indexed via V_ID=V48765 and/orV_ID=V49503, both of which yield/identify/are-mapped-to R_ID=R844, whichyields two V_IDs, namely and. Again, for purposes of illustration, table602′ has been populated with fictitious representations of values forthe respective column entries.

A context in which to view the above discussion can be provided byreferring to FIG. 5.

FIG. 5 is a flow diagram illustrating a vulnerability-based method ofremediation selection, and a method of remediation deployment, accordingto at least one embodiment of the present invention.

Flow in FIG. 5 begins at block 500 and proceeds to block 502, which hasthe label “vulnerability-based analysis.” The preceding discussion hasdescribed a vulnerability-based analysis that maps a vulnerability to aremediation, often two or more vulnerabilities to the same remediation.Such a mapping is depicted, e.g., in database structure 602, etc. Thiscan be contrasted with what can be described as a policy-based analysis.

Examples of policy-based analysis are provided in two copendingapplications that are assigned to the same assignee as the presentapplication. The two related copending applications are: U.S. patentapplication Ser. No. 10/933,504 having a U.S. filing date of Sep. 3,2004 and U.S. patent application Ser. No. 10/933,505 having a U.S.filing date of Sep. 3, 2004. The entirety of the '504 patent applicationis hereby incorporated by reference. The entirety of the '505 patentapplication is hereby incorporated by reference.

The output of the vulnerability-based analysis in block 502 can be theeligible R_ID list mentioned above. From block 502, flow proceeds inFIG. 5 to decision block 504, where server 102 can check whether thereare any R_IDs on the list. Typically, one would expect that the listwould contain at least one R_ID. If not, then flow can proceed to block506 where flow stops or re-starts, e.g., by looping back to block 500.But if there is at least one non-null entry in the list of eligibleR_IDs, then flow can proceed to block 507, where server 102 can, e.g.,append pertinent CE_IDs to the list of eligible R_IDs. Doing soidentifies assets that are targets of the R_IDs on the eligible list.For example, server 102 can index into remediation DB 104 using theR_IDs on the eligible list thereof to get a list of corresponding T_IDs,and then use that T_ID list to index into assets DB 106 to get a list ofCE_IDs that have one or more of these T_IDs present. Flow can proceed toblock 508 from block 507.

At block 508, server 102 can create an event object (EVENT)corresponding to each non-null entry in the list of eligible R_IDs. Flowcan then proceed to decision block 510.

At decision block 510, server 102 can determine whether to automaticallydeploy each event object. As each is produced, server 102 can thendetermine whether the object EVENT(i) should be automatically deployed,e.g., based upon an automatic deployment flag set in a record for theR_ID value stored in remediation DB 104. Alternatively, a field labeledAUTO_DEP can be added to each entry in the list of eligible R_IDs, whichwould be carried forward in each object EVENT(i). The administrator ofarchitecture 100 can make the decision about whether a particularremediation should be automatically deployed.

If automatic-deployment is not approved for the remediation of objectEVENT(i), then flow can proceed to block 512 from decision block 510. Atblock 512, server 102 can present information about object EVENT(i) to,e.g., the administrator of architecture 100, who can then decide whetheror not to deploy the remediation. Flow proceeds to block 514 from block512. But if automatic-deployment is approved for object EVENT(i), thenflow can proceed directly to block 514 from decision block 510.

At block 514 of FIG. 5, a point in time at which to deploy objectEVENT(i) is determined. Flow proceeds to block 516, where a deploymentpackage D_PAK(i) corresponding to object EVENT(i) is prepared, e.g., asof reaching the time scheduled for deploying object EVENT(i). Deploymentpackage D_PAK(i) can represent the remediation in anautomatically-machine-actionable format, e.g., (again) a sequence of oneor more operations that automatically can be carried out on a givenhost-asset, e.g., under the control of its LWS 109. Again, suchoperations can be invoked by one or more machine-language commands,e.g., one or more Java byte codes. After deployment package D_PAK(i) iscreated at block 516, flow can proceed to block 518.

At block 518, server 102 can send (or, in other words, push) deploymentpackage D_PAK(i) to the given LWS 109. Flow can proceed from block 518to block 520. At block 520 in FIG. 5, server 102 can monitor theimplementation upon the given host-asset of the remediation representedby deployment package D_PAK(i).

More particularly, interaction between server 102 and the given LWS 109can obtain more information than merely whether deployment packageD_PAK(i) was installed successfully by the given LWS 109 upon itshost-asset. Recalling that a remediation represents one or moreoperations in an automatically-machine-actionable format, it is notedthat a remediation will typically include two or more such operations.LWS 109 can provide server 102 with feedback regarding, e.g., thesuccess or failure of each such operation.

From block 520, flow proceeds to block 522, where the flow ends.

It is noted that a bracket 548 is depicted in FIG. 5 that groupstogether blocks 500-522. And bracket 548 points to a block diagram of atypical computer (also referred to as a PC) 550. Typical hardwarecomponents for computer 550 include a CPU/controller, an I/O unit,volatile memory such as RAM and non-volatile memory media such diskdrives and/or tape drives, ROM, flash memory, etc. Bracket 548 andcomputer 550 are depicted in FIG. 5 to illustrate that blocks 500-502can be carried out by computer 550, where computer 550 can correspond,e.g., to server 102, etc.

Further, the methodologies discussed above can be embodied on amachine-readable medium. Such a machine-readable medium can include codesegments embodied thereon that, when read by a machine, cause themachine to perform the methodologies described above.

Of course, although several variances and example embodiments of thepresent invention are discussed herein, it is readily understood bythose of ordinary skill in the art that various additional modificationsmay also be made to the present invention. Accordingly, the exampleembodiments discussed herein are not limiting of the present invention.

What is claimed is:
 1. A host device comprising: at least one processor;at least one memory device; a network interface device; a sensor programstored in the at least one memory device and executed by the at leastone processor to: automatically assess a current state of the hostdevice to identify a plurality of T_ID fields that each denote anidentification (ID) of a technology species (T) present in the hostdevice; automatically send information representative of the currentstate of the host device to a server via the network interface deviceincluding the identified plurality of T_ID fields; automaticallyreceive, via the network interface device, vulnerability remediationinformation from the server, the vulnerability remediation informationincluding: instructions executable by the processor though the sensorprogram, the instructions including at least one remediation for atleast one vulnerability of the host device and at least a subset of theplurality of identified T_ID fields, the at least one remediationdetermined by the server at least in part by AND operations comprising afirst list of remediation identifications (R IDs) identified using avulnerability identification (V ID) of the at least one vulnerability asa database index for a list of R_IDs ANDed second list of R_IDsidentified using technology genus (T GEN) as an index wherein the T_GENis determined from at least one of the T_ID fields, and further ANDedagainst a third R_IDs identified using the V_ID of the at least onevulnerability as an index; and for each of the T_ID fields of the subsetof the plurality of the identified T_ID fields, a plurality of ACT_IDfields, wherein the content of an ACT_ID field denotes an ID of anaction (ACT); and automatically implement the at least one remediationupon the host device through execution of the instructions of thereceived remediation information to mitigate the at least onevulnerability of the host device.
 2. The host device of claim 1, whereinthe sensor program is further executable by the at least one processorto: reassess the current state of the host device followingimplementation of the at least one remediation on the host device; andsend information representative of the reassessed current state of thehost device to the server via the network interface device.
 3. The hostdevice of claim 1, wherein the host device is a printer.
 4. The hostdevice of claim 1, wherein the vulnerability remediation informationincludes a R_ID denoting an identification (ID) of the at least oneremediation (R).
 5. The host device of claim 1, where the sensor programis further executable by the at least one processor to: receive, via thenetwork interface device, information to be processed during theassessing of the current state of the host device, the receivedinformation identifying a particular vulnerability.
 6. A methodcomprising: automatically assessing a current state of a host device toidentify a plurality of T_ID fields that each denote an identification(ID) of a technology species (T) present in the host device;automatically sending information representative of the current state ofthe host device to a server via a network interface device including theidentified plurality of T_ID fields; automatically receiving, via thenetwork interface: device, vulnerability remediation information fromthe server, the vulnerability remediation information including:instructions executable by a processor of the host device though asensor program implementing the method, the instructions including atleast one remediation for at least one vulnerability of the host deviceand at least a subset of the plurality of identified T^(—)ID fields; andfor each of the T ID fields of the subset of the plurality of identifiedT^(—)ID fields the at least one remediation determined by the server atleast in part by AND operations comprising a first list of remediationidentifications (R IDs) identified using a vulnerability identification(V ID) of the at least one vulnerability as a database index for a listof R_IDs ANDed second list of R_IDs identified using technology genus (TGEN) as an index wherein the T_GEN is determined from at least one ofthe T_ID fields, and further ANDed against a third R_IDs identifiedusing the V_ID of the at least one vulnerability as an index, aplurality of ACT_ID fields, wherein the content of an ACT_ID fielddenotes an ID of an action (ACT); and automatically implementing the atleast one remediation upon the host device through execution of theinstruction of the received remediation information to mitigate the atleast one vulnerability of the host device.
 7. The method of claim 6,further comprising: reassessing the current state of the host devicefollowing implementation of the at least one remediation on the hostdevice; and sending information representative of the reassessed currentstate of the host device to the server via the network interface device.8. The method of claim 6, wherein the host device is a printer.
 9. Themethod of claim 6, wherein the vulnerability remediation informationincludes a R_ID denoting an identification (ID) of the at least oneremediation (R).
 10. The method of claim 6, further comprising:receiving, via the network interface device, information to be processedduring the assessing of the current state of the host device, thereceived information identifying a particular vulnerability.
 11. Amachine-readable storage device, with instructions stored thereon, whichwhen executed by at least one processor, causes a machine to perform amethod comprising: automatically assessing a current state of a hostdevice to identify a plurality of T_ID fields that each denote anidentification (ID) of a technology species (T) present in the hostdevice; automatically sending information representative of the currentstate of the host device to a server via a network interface deviceincluding the identified plurality of T_D fields; automaticallyreceiving, via the network interface device, vulnerability remediationinformation from the server, the vulnerability remediation informationincluding: instructions executable by a processor of the host devicethough a sensor program implementing the method, the instructionsincluding at least one remediation for at least one vulnerability of thehost device and at least a subset of the plurality of identified T_IDfields; and for each of the T ID fields of the subset of the pluralityof identified T_ID fields the at least one remediation determined by theserver at least in part by AND operations comprising a first list ofremediation identifications (R IDs) identified using a vulnerabilityidentification (V ID) of the at least one vulnerability as a databaseindex for a list of R_Ds ANDed second list of R_Ds identified usingtechnology genus (T GEN) as a index wherein the T_GEN is determined fromat least one of the T_D fields, and further ANDed against a third R_IDsidentified using the V_D of the at least one vulnerability as an index,a plurality of ACT_ID fields, wherein the content of an ACT_ID fielddenotes an ID of an action (ACT); and automatically implementing the atleast one remediation upon the host device through execution of theinstruction of the received remediation information to mitigate the atleast one vulnerability of the host device.
 12. The machine-readablestorage device of claim 11, the method further comprising: reassessingthe current state of the host device following implementation of the atleast one remediation on the host device; and sending informationrepresentative of the reassessed current state of the host device to theserver via the network interface device.
 13. The machine-readablestorage device of claim 11, wherein the host device is a printer. 14.The machine-readable storage device of claim 11, wherein thevulnerability remediation information includes a R ID denoting anidentification (ID) of the at least one remediation (R).
 15. Themachine-readable storage device of claim 11, the method furthercomprising: receiving, via the network interface device, information tobe processed during the assessing of the current state of the hostdevice, the received information identifying a particular vulnerability.